Estimated time: 15 min

Associated Concepts

Software updates: Partial code patches for the operating system that improve functionality and correct newly discovered security vulnerabilities.
Encryption: The ability to transform a message into something unintelligible to others, while allowing those who are meant to have access to the data to revert it to its original content.
Disk or device encryption: A process that encrypts the entire contents of a computer's hard disk so that it is only accessible and usable once a password or other authentication method is supplied at startup.
Pirated software: Any software installed outside the official channels without paying its licensing fee.
Malware: Any malicious software that executes actions on a computer without authorization from its owner or the person responsible for it.
Phishing: A family of attacks that use identity theft (impersonation) as the mechanism to get a user to perform an action that is harmful to themselves, to the equipment they use, to the data stored on it or to the network it is connected to.
Password: A sequence of secret characters used to gain access to a service or device.
Credentials: The combination of username and password used to identify a user. Increasingly, credentials also include other factors such as biometrics and temporary security codes.
VPN (Virtual Private Network): A technology that allows devices in remote locations to be treated as part of a single internal network; organizations frequently use it to join computers in dispersed locations into one network. A particular application of this technology lets private users encrypt the traffic between their devices and a location considered safe before it reaches the open Internet; such VPNs are generally used to protect traffic against surveillance and to access blocked content.
Tor: A network infrastructure that allows browsing the internet by redirecting data through random relay points around the world. The data travel encrypted, and the system is designed to provide anonymity and protection against surveillance.
URL: A sequence of characters that locates a resource on the internet; it stands for Universal Resource Locator. http://sdamanual.org is an example of a URL.
Antivirus: Software that analyzes files in search of known pieces of malware. It generally holds a database of previously identified threats and compares each file against this database to detect possible matches.
PGP / GnuPG / GPG: A set of technologies that apply the principles of asymmetric encryption (considered much more secure than traditional techniques) to messages and files on computer equipment. It is generally used as an advanced security strategy, given the effort required to implement it and the high level of security it provides.
Password manager: Software that stores previously created passwords and retrieves them when needed. Password managers generally also generate passwords of much greater length and complexity, since the user no longer has to remember them at the moment of use.
Two-factor authentication (also called two-step authentication): An authentication technique in which a service requires, in addition to a password, another element tied to something the user physically possesses, such as a cell phone, a physical token, a card with codes, etc.

Justification

Currently, most organizations use technology within their processes. This technology inevitably has vulnerabilities and is prone to fail or be abused. With this in mind, the aim of this policy is to provide safe-use guidelines for the entry points of every member of the team, both at the level of devices and of services on the Internet, in order to protect the organization as well as possible. Specifically, it describes basic security measures for the use of mobile and desktop devices and of widely used services such as email and social networks, as well as the creation and management of passwords and other means of authentication within the organization.

Input data

Policies to be developed

The acceptable use policy for devices, accounts, and passwords to be developed in this activity condenses content from the following policies, as described in standard reference frameworks:

  • Acceptable device use policy: Defines the basic conditions for the safe use of computers, telephones, and other mobile equipment. It usually covers topics such as access passwords, locking the computer, encryption and incident reporting, among others.
  • Acceptable internet use policy: Establishes security principles for the use of browsers and other applications that connect to the internet, in order to protect both the equipment and the data it contains.
  • Acceptable email use policy: Establishes specific guidelines for the use of email. It primarily seeks to reduce phishing attacks, exfiltration of information and malware infections; it may also include guidelines on the purposes for which email is used, the language employed, and other aspects relevant to the proper use of email in the organization.
  • Acceptable social network use policy: Determines the security measures to be taken in the use and administration of the organization's social networks. It usually contains a set of general rules plus specific rules for each service of interest.
  • Account and password policy: Establishes a set of rules governing the creation, use, and maintenance of passwords for the various services and for access to devices. If the organization manages some of its own systems, it can also specify password management guidelines for its users. This policy sometimes covers aspects other than passwords, such as biometrics or other authentication factors.

Guiding questions

  1. What is the scope of the proposed policy?
    • Who does this policy affect?
    • Does it include devices owned by the organization or any other equipment used to work on it?
    • Does it include computers or mobile devices?
    • What email and social media services are included?
  2. Who is responsible for implementing and maintaining security measures in the devices?
  3. What are the general safety measures and directives on the management of devices?
  4. What are the general security considerations when using any communication channel?
  5. What are the general security measures when using the internet?
  6. What are the general security considerations to follow in the management of user accounts?
  7. What security policies should be implemented with the services self-managed by the organization?
  8. What are the security guidelines that should be followed when managing accounts with services hosted by third parties?
    • Email
    • Social networks
    • Other services
  9. What security aspects should be considered around the management of passwords and other authentication mechanisms?

1. Scope of the policy

In summary, the scope associated with this policy covers the following aspects:

  • Which people this policy affects: generally all members of the organization, as well as allies who work on specific projects.
  • Which equipment this policy affects:
    • Whether it covers only devices owned by the organization, or also devices owned by members of the organization that are used for professional purposes (the Bring Your Own Device, or BYOD, work model).
    • Whether it covers computers and/or phones and other mobile devices.
  • Which digital services it covers: whether it includes email, general internet use, social networks or any other service relevant to the organization. A valid option is also to cover all services used for work in the organization.

In this section, the contents of section (1) of the policy template for acceptable use of computers, accounts, and passwords should be discussed, modified and approved. It is very important that the provisions established in this policy and in the others developed are aligned with each other, in this case especially with the data protection policy, which can help when deciding on specific guidelines.

2. Device responsibility

Who is responsible for implementing and maintaining security measures in the devices?

Discuss, modify and approve the content of section (2) of the policy template for acceptable use of devices, accounts, and passwords, which deals with the ownership of the equipment and the responsibilities for using it and for reporting incidents.

  • The most notable variation in this step depends on whether the organization owns its equipment, all the equipment is owned by the members of the organization (BYOD), or there is a mixture of both. The template contains several examples that can be reduced to the particular case of the organization carrying out the activity.

3. General Device use

What are the general safety measures and directives on the management of devices?

Discuss, modify and approve the content of section (3) of the policy template for acceptable use of computers, accounts, and passwords. Some of the most important aspects discussed in this section are:

  • Authentication means for devices such as passwords or biometrics.
  • Blocking devices when left unattended.
  • Sharing credentials for user device access.
  • Operating system updates.
  • Use of pirated software.
  • Considerations against malware infection.
  • Disk encryption.
    • On computers.
    • On cell phones and other mobile devices.
  • Use of devices for purposes other than the work of the organization.
  • Use Antivirus and Antimalware.

User Device Acceptable Use Directives

Discuss, modify and approve the directives in section (3) of the corresponding policy template. Ideally the group already has prior knowledge of specific security issues; the optimal case is to hold this discussion after completing a digital security workshop, so that as each aspect covered in this manual comes up, the group can discuss how to bring that concept or tool into the corresponding policy. Examples of directives listed in the template, which can be used as they appear, edited or eliminated, include among others:

  • The mandatory use of user passwords on computers and cell phones used to handle sensitive matters of the organization. These passwords must comply with the password policies at the end of this document.
  • The mandatory use of screen locks that lock computers and cell phones after a certain period of inactivity.
  • The implementation of system encryption: on mobile devices this feature is often activated by default, while on computers implementing effective disk encryption may require time, knowledge and special effort. Here it is common to concentrate efforts on the computers that handle highly sensitive data, on device maintenance plans that include configuring disk encryption, or on the use of operating systems that facilitate system encryption by design.
  • The operating system update policy: automated security updates are generally considered the minimum necessary; from that point on the policy can be adjusted to each organization's specific needs.
  • The use of antivirus and antimalware software, optionally specifying approved software or selection criteria.

4. About the use of any communication channel

What are the general security considerations when using any communication channel?

Discuss, modify and approve the content of section (4) of the corresponding template. Some of the most important aspects discussed in this section are:

  • The handling of highly sensitive data through these channels and towards stakeholders external to the organization.
  • The use of user devices for purposes other than work related to the organization.
  • The conduct of the organization's members when using official communication channels: positions on discrimination, harassment, spam, etc. in the channels used for organizational purposes.
  • Provisions on the use of devices to carry out actions that violate intellectual property rights, or to copy or distribute material protected by copyright.

5. Internet general purpose directives

What are the general security measures when using the internet?

Discuss, modify and approve the content of section (5) of the corresponding template. Any consideration that does not apply to the organization can be eliminated without consequence. Some of the most important aspects discussed in this section are:

  • The use of circumvention and anonymity tools on the internet, such as Virtual Private Networks (VPNs), Tor or similar tools, when using computers. Normally these measures are tied to the sensitivity level of the data handled. Since this is a directive, it can name specific approved tools or give selection criteria.
  • The prohibition of activities that unjustifiably degrade the quality of the connection (for example, downloading torrents or streaming content unrelated to work).

Strategies against identity theft

Given that the most frequent attacks on organizations today are largely phishing attacks, it is important to specify clear strategies for facing these risks. It is proposed to review the corresponding part of section (5) of the template in use and to discuss, edit, add to and approve some of the proposed strategies, which relate to topics such as:

  • Making the official communication channels of the relevant stakeholders (e.g. suppliers, staff, public institutions) known throughout the organization, and avoiding any communication or exchange of sensitive information through other channels (email addresses, social network accounts and telephone numbers, among others).
  • The handling of communications that request sensitive data such as credentials, banking and personal information, together with the development of a set of indicators that help detect possible cases of identity theft.
  • The development of rules for handling suspicious attachments.

6. Account management

What are the general security considerations to follow in the management of user accounts?

Discuss, modify and approve the content of section (6) of the policy template for acceptable use of computers, accounts and passwords. Some of the most important aspects discussed in this section are:

  • Whether individual accounts are mandatory or shared accounts are permitted.
  • Responsibility for the use of one's own accounts.
  • Application of the principle of least privilege when creating and configuring user accounts.
  • Management of account recovery mechanisms.

7. Management of accounts in self-managed services (internal systems, hosted websites, servers, etc.)

What security policies should be implemented with services self-managed by the organization?

Discuss, modify and approve the content of section (7) of the policy template for acceptable use of computers, accounts and passwords. Some of the most important aspects discussed in this section are:

  • The concept of administrators: who creates, monitors, controls and deletes an account, and under what circumstances?
  • Who authorizes the creation of the accounts.
  • Avoid administrative accounts for daily use.
  • Non-disclosure agreements (NDA).
  • System access roles.

8. Directives on management of accounts in third-party services (e-mails, social networks, collaboration services, etc.)

What are the security guidelines that should be followed when managing accounts in services hosted by third parties?

Discuss, modify and approve the content of section (8) of the policy template for acceptable use of computers, accounts, and passwords. Some of the most important aspects discussed in this section are:

About the email

  • Publication of personal opinions in the emails.
  • Opening of suspicious attachments.
  • Generation of unwanted or malicious mail.
  • If required by the data protection policy, consider mail encryption.

About other third-party services

  • Who manages the access credentials.
  • Use of collaborative publishing tools that protect the credentials of social media accounts.
  • Use of password managers.
  • Monitoring of fake accounts, where applicable.

For each specific service

  • What characteristics can be configured in addition to those present in the general policy?
    • For example, Facebook:
      • Use of pages vs. users or groups.
      • Management of administrators.
      • Security notifications.
      • Two-factor authentication.
      • Emergency contacts.
    • For example, Twitter:
      • Linking a phone number to the account.

9. Password and authentication policies and directives

What security aspects should be considered around the management of passwords and other authentication mechanisms?

Discuss, modify and approve the content of section (4) of the corresponding template. Some of the most important aspects discussed in this section are:

  • The basic principle of direct responsibility for the use of accounts, devices or services whose password is in one's care.
  • Security measures for the creation of passwords; in subsequent steps these measures will be defined in detail.
  • General security practices for passwords:
    • Repetition of passwords.
    • Existence of physical copies.
    • Remembering of passwords in browsers.
    • Use of password managers.
    • Passwords sharing.
  • Policy proposals for passwords and authentication:
    • Length.
    • Complexity.
    • Dictionary.
    • Contents to avoid in the construction of the password.
    • Multi-factor authentication.
    • Use of password managers.
    • Access passwords on mobile devices.

Aspects excluded from the policy

  • Remote device management.
  • Monitoring and auditing compliance with security policies in devices.
  • Explicit prohibition of network monitoring, port analysis and use of honeypots and honeynets.
  • Explicit prohibition of execution of any illegal task, for example denial of service attacks (DoS and DDoS) and blocking of access to resources to other users without justification.

References